---
sidebar_label: import
description: |-
  The "transit import" and "transit import-version" commands import the
  specified key into Transit, via the Transit BYOK mechanism.
---

# transit import and transit import-version

The `transit import` and `transit import-version` commands import the
specified key into Transit, via the [Transit BYOK
mechanism](/docs/secrets/transit#bring-your-own-key-byok). The former
imports this key as a new key, failing if it already exists, whereas the
latter will only update an existing key in Transit to a new version of the
key material.

This needs access to read the transit mount's wrapping key (at
`transit/wrapping_key`) and the ability to write to either import
endpoints (either `transit/keys/:name/import` or
`transit/keys/:name/import_version`).

## Examples

Imports a 2048-bit RSA key as a new key:

```
$ bao transit import transit/keys/test-key @test-key type=rsa-2048
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to OpenBao transit.
Success!
```

Imports a new version of an existing key:

```
$ bao transit import-version transit/keys/test-key @test-key-updated
Retrieving transit wrapping key.
Wrapping source key with ephemeral key.
Encrypting ephemeral key with transit wrapping key.
Submitting wrapped key to OpenBao transit.
Success!
```

## Usage

This command does not have any unique flags and respects core OpenBao CLI
commands. See `bao transit import -help` for more information.

This command requires two positional arguments:

 1. `PATH`, the path to the transit key to import in the format of
    `<mount>/keys/<key-name>`, where `<mount>` is the path to the mount
    (using `-namespace=<ns>` to specify any namespaces), and `<key-name>`
    is the desired name of the key.
 2. `KEY`, the key material to import in Standard Base64 encoding (either
    of a raw key in the case of symmetric keys such as AES, or of the DER
    encoded format for asymmetric keys such as RSA). If the value for `KEY`
    begins with an `@`, the CLI argument is assumed to be a path to a file
    on disk to be read.
